Malvertising 101: When You Become the Product

How malware-advertising works & how you can avoid it

Malvertising, or malware-advertising, is a type of infection that has been making headlines for several years. It isn't relegated to some lonesome, dusty corner of the internet: major corporations and household names have been affected, from The Onion to Spotify to The New York Times.

Perhaps most concerningly, while traditional viruses, like vampires, have to be invited in with a click, some malvertisements require no action on your part: they only need to load on the page you're viewing to infect your computer. Once in, they can deploy anything from cryptomining scripts to ransomware.

Often a malvertisement will be submitted through legitimate ad agencies, in the hope that the suspicious redirect will slip by unnoticed. By infiltrating extremely popular and respected sites (eBay, Yahoo, and many, many others) it can reach a much larger audience.

The threat has also grown exponentially over the past decade, increasing by over 300% in some years.

What Happens When You View a Malvertisement?

First, an infected graphic file is submitted to an ad agency, sometimes along with other legitimate files that act as camouflage. Once approved, these ads are served to legitimate (and unsuspecting) websites. Frequently, these ads will have strong calls-to-action or provoke strong emotional responses, encouraging viewers to click. Once clicked they redirect the user; since this is expected from an ad click, the user is unaware that the redirection is downloading a virus in the background. More advanced forms of malware can simply save into the browser's cache, bypassing the need for a click.

It can be even worse on mobile devices, since many people don't take the same precautions or have the same firewalls on their phone that they would have on their laptop.

The Many Forms of Malvertisement

Malvertising can be divided into a few separate categories:

Rogue Security: Often in the form of pop-up ads, this usually alerts the user that their computer has been compromised and they need to download a free "anti-virus" program, which contains the malware payload.

Drive By Downloads: This requires no action from the user at all. Even without clicking on the ad, the ad is loaded and saved into your browser cache, making it into your computer through a sneaky backdoor without you ever clicking a finger.

SEO Poisoning: More of a cousin of malvertising, SEO poisoning jumps on a popular search term and creates a malicious website using popular search engine optimization tactics so that it shows up prominently on search engines.

Not Going Away

While malvertising has lately been overshadowed by other more prominent crimes taking place on the web, like ransomware, it hasn't gone anywhere. In late 2017, a group of criminals operating under the code name Zirconium pleaded guilty to creating 28 fake ad agencies in order to spread malicious ads. These 28 agencies had an extensive fictional backdrop in order to look legitimate, with the creators going as far as creating fake LinkedIn profiles for their CEOs. The work paid off: the ads ended up netting them over 1 billion in ad views. It's believed that about 2.5 million users who encountered these ads were redirected to a malicious site, either through tech support scams or pages offering software updates or software installers.

How Do You Avoid Malvertisements?

While the threat is real, there are some things that internet users can do to avoid becoming an unwitting victim.

For users:

Keep programs updated. In particular, programs like Adobe Flash or Silverlight, which auto-run on some websites, are vulnerable. By ensuring your version is up-to-date, you can make sure you don't have the vulnerabilities that make it easy for hackers to exploit.

Install an adblocker. An adblocker is an extremely effective method of protecting against malvertisement: if the ad never loads, the scripts can't run and save into your cache. Unfortunately, ad blocking results in $781 million in lost revenue, disproportionately affecting small businesses that rely on that revenue in order to operate.

For webpage owners:

Work with a reputable ad company. Check the ads being run on your site to see if they run any suspicious scripts. If you suspect you're being used for malicious adware, don't wait. Flag the ad; any company worth their salt will replace it. If this happens frequently, change ad companies. Your reputation is worth more.

Invest in a watchdog. Companies like GeoEdge and Media Trust have add-ons that search for suspicious scripts and inform you of malicious ads.
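One way a site owner could script the "check the ads for suspicious scripts" step above, as an added example that is not from the original article: it flags ad iframes that are not sandboxed (or whose sandbox permits top-level navigation) and inline scripts that try to navigate the whole page. The function names, marker list and `ads.example` markup are assumptions constructed for illustration.

```javascript
// Added example, not from the original article. Sample markup is constructed.
// Regex parsing keeps it dependency-free; a production audit should use a real HTML parser.

// Script constructs that can move the whole page away from inside an ad frame.
const REDIRECT_MARKERS = [
  { name: "top-navigation", re: /\b(?:top|parent)\.location\b/ },
  { name: "popup", re: /\bwindow\.open\s*\(/ },
];

// Parse the attributes of one opening tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per risky iframe or inline script in an ad slot's HTML.
function auditAdSlot(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    const src = attrs.src ?? "(inline)";
    if (!("sandbox" in attrs)) {
      findings.push({ issue: "iframe-not-sandboxed", where: src });
    } else if (attrs.sandbox.toLowerCase().split(/\s+/).includes("allow-top-navigation")) {
      findings.push({ issue: "sandbox-allows-top-navigation", where: src });
    }
  }
  for (const [, code] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const { name, re } of REDIRECT_MARKERS) {
      if (re.test(code)) findings.push({ issue: `script-${name}`, where: "inline script" });
    }
  }
  return findings;
}

// Constructed ad-slot markup: one unsandboxed frame, one locked down, one redirecting script.
const SAMPLE_SLOT = `
<iframe src="https://ads.example/creative-1.html" width="300" height="250"></iframe>
<iframe src="https://ads.example/creative-2.html"
        sandbox="allow-scripts allow-popups allow-top-navigation-by-user-activation"></iframe>
<script>setTimeout(function () { top.location = "https://landing.example/"; }, 500);</script>
`;

console.log(auditAdSlot(SAMPLE_SLOT));
```

A frame sandboxed without `allow-top-navigation` cannot redirect the page that hosts it, which is why the second frame in the sample produces no finding.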

There's a lot at stake in figuring this out: at least $229.25 billion in U.S. dollars was spent on digital advertising in 2017. It's estimated that the average person is exposed to anywhere between 4,000 and 10,000 ads per day—the vast majority of those views happening online. If you're even a casual internet user, you're a hot commodity: the average spent on digital advertisements in the US in 2017 was $303 per internet user. That's a lot of money to try and get your attention!

Luckily, new browser security features are already catching up. The new Chrome 64 update blocks the forced redirect that Zirconium relied on, and new browser features protect against many of these older Achilles' heels.
